tavrez/openssh-sk-winhello

Could not add identity "id_ecdsa_sk": agent refused operation

limpkin opened this issue · 13 comments

Hello and thanks for the amazing project!

I'm encountering a few issues trying to set up password-less authentication with your tool on one of my servers.
In short, I'm doing the following: https://github.com/mooltipass/minible/blob/gh-pages/fido2_openssh_from_windows.md
However, ssh-add -S winhello.dll id_ecdsa_sk fails while ssh-add id_ecdsa_sk succeeds...

Ok, I think you (or the guys who wrote the guide) forgot a step:
From the ssh-agent man page:

-P allowed_providers
Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO authenticator middleware shared libraries that may be used with the -S or -s options to ssh-add(1). Libraries that do not match the pattern list will be refused. See PATTERNS in ssh_config(5) for a description of pattern-list syntax. The default list is “/usr/lib*/*,/usr/local/lib*/*”.

As I've tested, if you do not provide an absolute path to winhello.dll, the agent refuses the connection, so you should do one of these:

  • Start ssh-agent like this: ssh-agent -P /usr/bin/winhello.dll and add the key like this: ssh-add -S /usr/bin/winhello.dll
  • Copy the winhello.dll file into the lib folder, start the agent normally (since its default path list includes the lib dir) and add the key like this: ssh-add -S /usr/lib/winhello.dll

You can also add export SSH_SK_PROVIDER=/usr/bin/winhello.dll (full path) to ~/.bashrc to stop writing the -S parameter every time.
I'll update the readme file to mention this. Please try this and report back to me, thanks.

will do, thanks a lot :)

that did the trick!

A few additional questions: I'm getting a "init_winhello: WARNING! This should not be like this!"
Also, when creating the new user, what's the parameter to specify the user?

A few additional questions: I'm getting a "init_winhello: WARNING! This should not be like this!"

This is related to Microsoft, nothing to do atm, you do not need to worry about it.

Also, when creating the new user, what's the parameter to specify the user?

ssh-keygen -t ecdsa-sk -O user=newuser

ssh-keygen -t ecdsa-sk -O user=newuser

Hmm, that's interesting... it seems that in this case the user_handle changes yet the user_name remains the same (ssh user). Is that intended? I was expecting the username to change as well :)

edit: just issued a PR :)

You are right, I think my test for this part was wrong, will correct it ASAP.

thanks a lot :)

(hopefully) last question: have you tested interoperability with Linux? Namely, using a Ubuntu client, will it try to access the "ssh" service name?

I'm not sure what you mean. This module only works on Windows; how should I test it with a Linux client?
I've tested connecting to a Linux server and it was ok.

I mean: the credentials stored inside the U2F token, can they be used on another OS, importing the same "private" key file?

Ah yes, the result of this module is exactly the same as the result without it; I tested this part.

this is awesome, thanks!